Legacy ImageMagick Discussions Archive

fumfel

After some fuzz testing I found a crashing test case.

Git HEAD: a2d7a71ee37dca68f32bd2ed4e9c7299a6d78a77

OS & Compiler: Ubuntu 16.04 x64 + Clang 4.0

Faulting input: https://frankowicz.me/storage/crashes/im_negative_size_RemoveResolutionFromResourceBlock

Command: convert im_negative_size ...

fumfel

After some fuzz testing I found a crashing test case.

Git HEAD: f0d6dde21d77905c0c3769c2d3491365d518c844

OS & Compiler: Ubuntu 16.04 x64 + Clang 4.0

Crashing file: https://frankowicz.me/storage/crashes/im_uaf_GetPixelInfoPixel

Command: convert im_uaf_GetPixelInfoPixel /dev/null

ASAN ...

fumfel

After some fuzz testing I found a crashing test case.

Git HEAD: 4e46ad9dd95d68c1c8c630e6d27338ae3f57d5c7

OS & Compiler: Ubuntu 16.04 x64 + Clang 4.0

Command: convert im_hbo_GetNextToken.svg /dev/null

Faulting input: https://frankowicz.me/storage/crashes/im_hbo_GetNextToken.svg

ASAN:

==6443 ...

fumfel

After some fuzz testing I found a crashing test case.

Git HEAD: 4e46ad9dd95d68c1c8c630e6d27338ae3f57d5c7

OS & Compiler: Ubuntu 16.04 x64 + Clang 4.0

Command:

convert im_nullptr_GetJPEGMethod /dev/null

Faulting input: https://frankowicz.me/storage/crashes/im_nullptr_GetJPEGMethod

ASAN ...

fumfel

Reply from LibTIFF developer: http://bugzilla.maptools.org/show_bug.cgi?id=2730#c3

fumfel

After some fuzz testing I found a crashing test case.

Git HEAD: b0323e6509f4530a228c8788db11a49ff9255b69

OS & Compiler: Ubuntu 16.04 x64 + Clang 4.0

Command: convert im_hbo_TracePoint /dev/null

Faulting input: https://frankowicz.me/storage/crashes/im_hbo_TracePoint.svg

ASAN:

==21950==ERROR ...

fumfel

More details and faulting test case: http://bugzilla.maptools.org/show_bug.cgi?id=2730

fumfel

With '--disable-openmp' switch, problem doesn't exists.

fumfel

After some fuzz testing I found a crashing test case.

Git HEAD: eb56534ac870d9a5b8a6e7db8d32c0e76ae65924

OS & Compiler: Ubuntu 16.04 x64 + Clang 4.0

Command: convert im_hoobr_omp_outlined.eps null

Faulting input: https://frankowicz.me/storage/crashes/im_hoobr_omp_outlined.eps

ASAN:

==13673 ...

fumfel

IM Version (compiled from source):
Version: ImageMagick 7.0.3-0 Q16 x86_64 2016-09-14 http://www.imagemagick.org

Source file

To reproduce:
convert crash.dib a.jpg
LeakSanitizer output:
==535==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 4160 byte(s) in 1 object(s) allocated ...

fumfel

IM Version (compiled from source):
Version: ImageMagick 7.0.3-0 Q16 x86_64 2016-09-14 http://www.imagemagick.org

Source file

To reproduce:
convert crash.gif a.jpg
LeakSanitizer output:
==32663==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 13304 byte(s) in 1 object(s ...

fumfel

When I try convert malformed WPG image, ImageMagick leaks memory in WPG parser.

IM Version (compiled from source):
Version: ImageMagick 7.0.3-0 Q16 x86_64 2016-09-14 http://www.imagemagick.org

Source file

To reproduce:
convert crash.wpg a.jpg
LeakSanitizer Output:
==19859==ERROR ...

Legacy ImageMagick Discussions Archive

Search found 12 matches

Negative size parameter in RemoveResolutionFromResourceBlock()

Use after free in GetPixelInfoPixel()

Heap buffer overflow in GetNextToken()

Null pointer dereference in GetJPEGMethod()

Re: Use-after-free in TIFFSetField()

Heap buffer overflow in TracePoint()

Use-after-free in TIFFSetField()

Re: Heap out of bounds read in .omp_outlined..68()

Heap out of bounds read in .omp_outlined..68()

Memory leak in API

Memory leak in GIF parser

Memory leak in WPG parser